short Botnet list and Cashing in on DoS
vixie at vix.com
Sat Oct 9 13:35:34 UTC 2004
> Most ISP's wouldn't have to deal with this problem if corporations took
> the time to release better products.
The average corporation is in business to make money. Releasing a better
product than is required to enable revenue and deal with competition would
be irresponsible to their shareholders. But let's stay out of that rathole
on this latest trip down this topic.
> I was faced with the question of "What do you do for infected clients?"
> What can an ISP do.
1. Do BCP38. Have your CFO read SAC004. Implement source address validity
checks. Ensure that the ~50% or more of DDoS packets generated in the world
that have invalid source addresses cannot come from your network -- this will
make botnets made up of your clients less valuable in the ddos-for-hire
world -- in other words, malfeasants will try less hard to create them, and
other malfeasants will pay less to acquire them.
2. Filter aggressively. Run a dark-net, and if one of your customers hits it,
blackhole their /32 for both inbound and outbound traffic, flag their record
in your customer database, and wait for them to call. When they call, give
them a list of anti-virus products for their 'puter, and the phone numbers
(yes, sorry, no web access for them at the moment) of some vendors. This
will cost you some top line revenue, but save your margins.
> Yes there is little that can be done right now, but yet there ARE things
> that CAN BE DONE. ... I say nip it at the bud, if you're an upstream
> provider and you see some of these issues, three strikes shut these
> things down, or nullroute them, don't just sit twiddling your thumbs "Oh
> but that won't help your idea is silly because foo_x reason." ...
Yea, verily. This is not an impossible problem for this community; it is
only an impossible problem for any one of us acting totally independently.
And while the solution isn't instant, the tide CAN be turned.
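As an added illustration (not part of Vixie's post), the two ISP-side controls described above, a BCP38 source-address validity check at the customer edge and dark-net-triggered /32 blackholing in both directions, simulated in Python over constructed flow records. The prefixes are hypothetical documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical prefixes (documentation ranges), not taken from the post.
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")   # space assigned to customers
DARKNET = ipaddress.ip_network("203.0.113.0/24")         # unused space routed to a collector

@dataclass
class Flow:
    src: str
    dst: str

@dataclass
class Verdict:
    dropped_spoofed: list = field(default_factory=list)  # failed BCP38, never forwarded
    blackholed: set = field(default_factory=set)         # /32s null-routed both ways
    forwarded: list = field(default_factory=list)

def bcp38_valid(flow: Flow) -> bool:
    """Source-address validity check at the customer-facing edge: traffic
    leaving the customer side must carry a source inside the assigned prefix."""
    return ipaddress.ip_address(flow.src) in CUSTOMER_PREFIX

def process(outbound: list, inbound: list) -> Verdict:
    """Apply the edge policy to constructed flows. Outbound flows are checked
    for spoofing and dark-net hits; inbound flows to a blackholed /32 are dropped."""
    v = Verdict()
    for f in outbound:
        if not bcp38_valid(f):
            v.dropped_spoofed.append(f.src)
            continue
        if f.src in v.blackholed:
            continue
        if ipaddress.ip_address(f.dst) in DARKNET:
            # A customer host talking to unused space is scanning or bot-controlled:
            # null-route its /32 and flag the customer record for the support call.
            v.blackholed.add(f.src)
            continue
        v.forwarded.append((f.src, f.dst))
    for f in inbound:
        if f.dst not in v.blackholed:
            v.forwarded.append((f.src, f.dst))
    return v

# Constructed sample records.
OUTBOUND = [Flow("10.9.9.9", "198.51.100.5"),     # spoofed source: fails BCP38
            Flow("192.0.2.10", "203.0.113.77"),   # customer hits the dark-net
            Flow("192.0.2.10", "198.51.100.5"),   # same host, now blackholed
            Flow("192.0.2.20", "198.51.100.5")]   # clean customer traffic
INBOUND = [Flow("198.51.100.5", "192.0.2.10"),    # to the blackholed host: dropped
           Flow("198.51.100.5", "192.0.2.20")]    # to a clean host: forwarded
```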